Bug 918187 - (CVE-2014-8121) VUL-0: CVE-2014-8121: glibc: denial of service issue in the NSS backends
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: All
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Andreas Schwab
QA Contact: Security Team bot
Whiteboard: CVSSv2:NVD:CVE-2014-8121:5.0:(AV:N/AC...
Reported: 2015-02-17 11:45 UTC by Lars Müller
Modified: 2019-08-28 22:45 UTC (History)

Found By: Development
Attachments
proposed patch (7.61 KB, patch)
2015-02-17 11:45 UTC, Lars Müller
Description Lars Müller 2015-02-17 11:45:56 UTC
Created attachment 623528
proposed patch

From: Florian Weimer <fweimer@redhat.com>
To: linux-distros@vs.openwall.org
Cc: security@samba.org
Date: Tue, 17 Feb 2015 11:52:05 +0100
Subject: glibc denial of service issue in the NSS files backend (CVE-2014-8121)

Robin Hack of Red Hat discovered that Samba 4.1 smbd would enter an
infinite loop, allocating more and more memory, eventually triggering
the OOM killer, when processing a request sent by smbcquotas.

We tracked this down to a glibc bug in the file backend of the glibc
Name Service Switch.  getpwuid resets the file pointer used by getpwent.
The code which intends to compensate for that never runs because a
variable is incorrectly initialized.  The attached patch fixes this.

With Samba 3.6.23, we could reproduce the denial of service only with a
substantial number of accounts in /etc/passwd.  With a small number of
accounts, the command completes.  Apparently, the UID caching behavior
has changed inside smbd, so that it still makes progress even though
processing the password file still starts from the beginning for every
user.  With Samba 4.1.1, we see an infinite loop.

I'm Cc:ing the Samba team as a courtesy.  It's not a Samba bug, so I
don't think it makes sense to work around it there (although the
smbcquotas handling code remains rather inefficient).

Coordinated disclosure date is 2015-02-23.  Then I'll file a public bug
in the glibc bug tracker and post the attached patch for review.

--
Florian Weimer / Red Hat Product Security
Comment 1 Johannes Segitz 2015-02-17 11:54:16 UTC
CRD: 2015-02-23
Comment 3 Andreas Schwab 2015-02-17 16:38:22 UTC
I don't think this patch is correct.
Comment 4 Swamp Workflow Management 2015-02-17 23:00:14 UTC
bugbot adjusting priority
Comment 9 Johannes Segitz 2015-02-25 10:47:26 UTC
public
Comment 10 Marcus Meissner 2015-03-06 14:39:08 UTC
is there an upstream fix now?
Comment 11 Andreas Schwab 2015-03-09 07:51:24 UTC
No, not yet.
Comment 12 Andreas Schwab 2015-03-26 10:42:24 UTC
The initial analysis is incorrect, the real problem is the sharing of state between the getXXent and the getXXbyYY NSS functions in the backends.
Comment 13 Bernhard Wiedemann 2015-04-01 10:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (918187) was mentioned in
https://build.opensuse.org/request/show/293891 Factory / glibc
Comment 14 Swamp Workflow Management 2015-05-27 19:05:13 UTC
openSUSE-SU-2015:0955-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 917539,918187,920338,927080
CVE References: CVE-2014-8121,CVE-2015-1781
Sources used:
openSUSE 13.2 (src):    glibc-2.19-16.12.1, glibc-testsuite-2.19-16.12.4, glibc-utils-2.19-16.12.1
openSUSE 13.1 (src):    glibc-2.18-4.32.1, glibc-testsuite-2.18-4.32.3, glibc-utils-2.18-4.32.2
Comment 18 Andreas Stieger 2015-08-17 08:53:56 UTC
In an upstream release:
http://lists.gnu.org/archive/html/info-gnu/2015-08/msg00004.html

The GNU C Library version 2.22 is now available.
[...]
* CVE-2014-8121 The NSS backends shared internal state between the getXXent
  and getXXbyYY NSS calls for the same database, causing a denial-of-service
  condition in some applications.
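The failure mode described in the report (getpwuid resetting the position getpwent reads from), restated in comment 12 and the 2.22 release note as shared state between getXXent and getXXbyYY, modelled as an added example; this is not glibc or Samba code. The account table is constructed, and the iteration guard in enumerate_with_lookups is a defensive pattern for a caller that interleaves the two call families, not the upstream fix.

```c
#include <stddef.h>

/* In-memory model of an NSS "files" backend: a table of entries and a
 * cursor that getXXent() advances.  Constructed sample data. */
struct entry { const char *name; unsigned uid; };
static const struct entry PASSWD[] = {
    {"root", 0}, {"alice", 1000}, {"bob", 1001}, {"carol", 1002} };
#define NENT (sizeof PASSWD / sizeof PASSWD[0])

struct backend {
    size_t ent_pos;      /* cursor of getXXent(): the "file pointer" */
    int    shared_state; /* 1: getXXbyYY reuses ent_pos (CVE-2014-8121) */
};

/* getXXent(): hand out the next entry, NULL at end of file. */
static const struct entry *model_getpwent(struct backend *b)
{
    return b->ent_pos < NENT ? &PASSWD[b->ent_pos++] : NULL;
}

/* getXXbyYY(): rewind, scan for the key, then close the stream.  With
 * shared state the rewind and close also reset the enumeration cursor,
 * so the next getXXent() starts again from the first line. */
static const struct entry *model_getpwuid(struct backend *b, unsigned uid)
{
    const struct entry *found = NULL;
    size_t pos;
    for (pos = 0; pos < NENT; pos++)
        if (PASSWD[pos].uid == uid) { found = &PASSWD[pos]; break; }
    if (b->shared_state)
        b->ent_pos = 0;              /* the enumeration loses its place */
    return found;
}

/* Enumerate every account and look each one up by uid, the pattern the
 * report describes.  Returns the number of accounts processed, -2 if a
 * lookup disagrees with the enumeration, or -1 when the guard sees more
 * iterations than the database has lines, i.e. the enumeration restarted
 * instead of reaching end of file. */
int enumerate_with_lookups(int shared_state)
{
    struct backend b = { 0, shared_state };
    const struct entry *e;
    int processed = 0;
    while ((e = model_getpwent(&b)) != NULL) {
        if (model_getpwuid(&b, e->uid) != e)
            return -2;
        if (++processed > (int)NENT)
            return -1;               /* would loop forever without this */
    }
    return processed;
}
```

With shared state the loop never advances past the first account and the guard fires; with separate state it processes all four entries and stops at end of file.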
Comment 19 Swamp Workflow Management 2015-08-21 16:11:07 UTC
SUSE-SU-2015:1424-1: An update that solves three vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 830257,851280,918187,920338,927080,928723,932059,933770,933903,935286
CVE References: CVE-2013-2207,CVE-2014-8121,CVE-2015-1781
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    glibc-2.11.3-17.87.3
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    glibc-2.11.3-17.87.3
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    glibc-2.11.3-17.87.3
SUSE Linux Enterprise Server 11-SP4 (src):    glibc-2.11.3-17.87.3
SUSE Linux Enterprise Server 11-SP3 (src):    glibc-2.11.3-17.87.3
SUSE Linux Enterprise Desktop 11-SP4 (src):    glibc-2.11.3-17.87.3
SUSE Linux Enterprise Desktop 11-SP3 (src):    glibc-2.11.3-17.87.3
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    glibc-2.11.3-17.87.3
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    glibc-2.11.3-17.87.3
Comment 25 Swamp Workflow Management 2015-10-30 09:10:28 UTC
SUSE-SU-2015:1844-1: An update that solves two vulnerabilities and has 11 fixes is now available.

Category: security (moderate)
Bug References: 915955,918187,920338,927080,928723,931480,934084,937853,939211,940195,940332,944494,945779
CVE References: CVE-2014-8121,CVE-2015-1781
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    glibc-2.19-22.7.1
SUSE Linux Enterprise Server 12 (src):    glibc-2.19-22.7.1
SUSE Linux Enterprise Desktop 12 (src):    glibc-2.19-22.7.1
Comment 29 Swamp Workflow Management 2016-02-16 19:17:02 UTC
SUSE-SU-2016:0470-1: An update that solves 10 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 830257,847227,863499,892065,918187,920338,927080,945779,950944,961721,962736,962737,962738,962739
CVE References: CVE-2013-2207,CVE-2013-4458,CVE-2014-8121,CVE-2014-9761,CVE-2015-1781,CVE-2015-7547,CVE-2015-8776,CVE-2015-8777,CVE-2015-8778,CVE-2015-8779
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    glibc-2.11.3-17.45.66.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    glibc-2.11.3-17.45.66.1
Comment 30 Marcus Meissner 2016-03-18 10:04:17 UTC
i think we are done, right?